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We consider the quantum key expansion (QKE) protocol based on entanglement-assisted quantum 
error-correcting codes (EAQECCs). In these protocols, a seed of previously shared secret key is used 
in the post-processing stage of a standard quantum key distribution protocol like BB84, in order 
to produce a larger secret key. This protocol was proposed by Luo and Devetak, but codes leading 
to good performance have not been investigated. We look into a family of EAQECCs generated 
by classical finite geometry (FG) low-density parity-check (LDPC) codes, for which very efficient 
iterative decoders exist. A critical observation is that almost all errors in the produced secret key 
result from uncorrectable block errors that can be detected by an additional syndrome check and an 
additional sampling step. Bad blocks can then be discarded. We make some changes to the original 
protocol to avoid the consumption of secret key when the protocol fails. This allows us to greatly 
reduce the bit error rate of the key at the cost of a minor reduction in the key production rate, 
but without increasing the consumption rate of pre-shared key. We present numerical simulations 
for the family of FG LDPC codes, and show that this improved QKE protocol has a good net key 
production rate even at relatively high error rates, for appropriate choices of these codes. 



PACS numbers: 03.67.Dd,03.67.Hk,03.67.Ac,03.67.Pp 



I. INTRODUCTION 

A quantum key expansion protocol allows two par- 
ties, Alice and Bob, to expand a shared secret key by 
using one-way quantum communication and public clas- 
sical communication. Luo and Devetak [l[ demonstrated 
a QKE protocol, which is derived from the standard 
BB84 quantum key distribution (QKD) protocol with 
post-processing steps involving the use of entanglement- 
assisted Calderbank-Shor-Steane (CSS) codes. The pro- 
tocol is provably secure from an eavesdropper, Eve, based 
on a result by Shor and Preskill Q. 

The QKE protocol has a potential advantage over 
QKD, in that the original pair of classical codes con- 
sidered need not have the dual-containing property. The 
cost is that the parties involved have to pre-share a se- 
cret key. The classical codes correspond to entanglement- 
assisted quantum error-correcting code (EAQECC). The 
EAQECC construction is described by the formalism 
given by Brun, Devetak and Hsieh Q. 

In the CSS construction of Luo and Devetak's QKE 
protocol, a pair of classical linear codes with good error- 
correcting performance is needed. LDPC codes are clas- 
sical linear codes that have sparse parity-check matri- 
ces, and many families of LDPC codes have been studied 
and claimed to give good performance (see, e.g., (4HTo|). 
There were several recent studies on the performance of 
LDPC codes used for QKD [HI, [13. In this paper, LDPC 
codes constructed from finite geometry (FG) are consid- 
ered [1, [l(| , and methods to incorporate them into the 
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QKE protocol are proposed and explained. For simplic- 
ity, the quantum channel is modeled by the depolarizing 
channel. Given a tolerable bit error threshold e for the 
generated keys, the goal is to search for codes that maxi- 
mize the net key rate for given channel error parameters. 

The paper is organized as follows. In section II, we first 
introduce the QKE protocol of Luo and Devetak. We 
then propose modifications to the post-processing steps 
to improve performance. In section III, we discuss fam- 
ilies of LDPC codes generated by finite geometry. In 
section IV, we discuss simulation results using the im- 
proved QKE protocol from section II and the codes from 
section III, and we analyze their performance. In section 
V, we give conclusions and suggest possible work in the 
near future. 

The one-dimensional vectors appearing in this paper 
should always be considered as column vectors. The vec- 
tors are denoted with underline , and the matrices are 
denoted with boldface. The operations + and © are 
defined respectively as component-wise addition and ad- 
dition modulo 2. 



II. QUANTUM KEY EXPANSION 

The QKE protocol discussed in this paper is derived 
from the BB84 quantum key distribution protocol, us- 
ing CSS codes for error correction and privacy ampli- 
fication. The CSS code used for a BB84 QKD proto- 
col is derived from a pair of "dual-containing" classical 
linear codes. Most pairs of classical codes do not sat- 
isfy this requirement, but such pairs can be found. The 
dual-containing property requires that H^H^ = to 
be satisfied, where H\ and H2 are the parity-check ma- 
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trices of the two codes. The QKE protocol, however, 
does not require the pair of classical codes have the dual- 
containing restriction. The idea is to interpret the code 
as an entanglement- assisted code rather than a standard 
quantum code, and the cost is that the two parties in- 
volved must have a pre-shared secret key that is expanded 
by the protocol. 

In subsection A, the structure of entanglement-assisted 
code will be introduced, as well as the notation that 
will be used throughout the paper. Subsection B re- 
views the steps of the QKE protocol proposed by Luo 
and Devetak In subsections C and D, we analyze 
the post-processing steps of the QKE protocol, and pro- 
pose improvements. In subsection E, we summarize the 
improvements of subsection D and give a QKE proto- 
col with enhanced performance compared to the original 
QKE protocol. 



A. Code construction 

This subsection summarizes the entanglement-assisted 
CSS code construction and the matrix structures in- 
volved. The notation mentioned here will be used 
throughout the later sections. 

For i = 1,2, let Cj be a classical [n, ki,d] code with 
parity-check matrix Hi of size (n — hi) x n. Based on 
the given pair of classical codes, an [[n, k\ + k 2 — n + 
c,d;c]] entanglement-assisted quantum CSS code can be 
constructed, where c = r&nk(HxH 2 ) is the number of 
ebits (or entangled pairs of qubits) needed. This code 
can protect m — k\ -\- k 2 — n + c qubits from error. After 
this process, we end up with two dual-containing classical 
codes C[ and C' 2 with "augmented" parity check matrices 
H[ and H 2 . The derivation of H[ from Hi is as follows: 

For a given pair of Hi and H 2 , there always exist 
nonsingular matrices T\ and T 2 such that 



T x H x HlT% 



0(n — fci— c)x(n — fc 2 — c) 0(n — fci— c)xc 







cx(n — k 2 — c) 



(1) 

H[ can thus be constructed as follows to assure 
that the new codes satisfy the dual- containing property, 
H[H 2 T = 0. 



Hi = {TiHi Ji), where J; 



J(n — ki — c) Xc 



(2) 



Suppose H[ and H 2 are constructed. There exist bi- 
nary matrices E± , F± , E 2 , and F 2 such that the following 
four requirements are satisfied: 

1. The rows of H[ and Ex form a basis for C 2 . 

2. The rows of H 2 and E 2 form a basis for C[. 

(H{\ j F 2 

3. Nx = I Ex j and N 2 = \ E 2 I are full rank 

matrices. 



4. NxN? = I. 

The new parity-check matrices H^ have more columns 
than the original Hi . These columns correspond to addi- 
tional qubits on the receiver's side. Before decoding, the 
sender (Alice) and the receiver (Bob) share c entangled 
pairs. Since Bob's half of these pairs do not pass through 
the channel, they are noise-free. 

The syndrome of an error is defined as the error vector 
multiplied by the parity-check matrix of the code. For 
the code C[ in our case, the syndrome corresponding to 
the error vector e is s — H[e. The set of codewords of 
the code is the set of all vectors with zero syndromes. 

The decoder for the LDPC codes considered in this 
paper is an SPA decoder [l]| that identifies a probable 
error corresponding to each syndrome. Based on the de- 
coder, the error set correctable by the code can be de- 
fined. For the code C[ with parity-check matrix H[, 
one may define such a set as £[ = {F 2 s + E 2 (3{s) + 

H' 2 T l3'{s) : a G Z^ fel }, where /30 : Z^ fcl -> Z™~and 
/3' j) : 1 2 l - kl -> 1 2 l ~ k2 are mappings fixed by the de- 
coder. For every syndrome s € ~ kl , the decoder gives 
F 2 s + E%P(s) + H 2 T f3'(s) as the probable error. The 
receiver then corrects this error on the received codeword 
to retrieve the original message. 



H' 2 



B. Luo and Devetak's quantum key expansion 
protocol 

Let Alice and Bob be the sender and receiver utiliz- 
ing the QKE protocol proposed in [l|. The steps of the 
protocol are: 

1) Alice generates a binary string a consisted of (2 + 
3<5)n random bits. 

2) Alice generates another binary string a consisted of 
(2 + 3S)n random bits, and she prepares each bit in a in 
the Z or X basis according to the corresponding bit in 
a. For example, Alice may prepare the bit in a in the 
Z basis if the corresponding bit in a is 0, and in the X 
basis otherwise. 

3) Alice sends the prepared qubits to Bob. 

4) Bob receives the qubits, and he generates a binary 
string 7 consisting of (2 + 3i5)n random bits. Bob then 
uses 7 to determine in which bases to measure the re- 
ceived qubits. To be consistent with the example in 2), 
Bob measures the received qubit in the Z basis if the 
corresponding bit in 7 is and measures in the X basis 
otherwise. Let the resulting bit string be b. 

5) Alice announces a, and Bob discards the bits in 
b where the corresponding bits in 7 and a don't match, 
that is, the bit locations where they prepare and measure 
in different bases. Bob announces which bits he discards. 
With high probability, there are at least (l + 6)n bits left; 
if not, they abort and restart the protocol. 

6) Alice randomly chooses n bits and announces the bit 
locations for Bob to extract the corresponding bits. Let 
Alice's resulting string be a, and Bob's be b. There are 
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at least nS pairs of bits left, and those pairs are used for 
channel estimation. Alice and Bob announce those bits 
to each other and count the fraction that do not match. 
If there are too many errors, they abort and restart the 
protocol. 

7) Alice attaches the length-c pre-shared bit string k 
to a. She first computes sa = H[ ^ ^ ^ anc ^ announces 
it to Bob. She then computes her part of the generated 
key, Ua = E± ' ~ 

Bob computes sb_ — H[ ( - ] , and his part of the 



generated key is ks_ — Ex ( - ] © P{sa_ © gg )- 



C. Analysis of QKE post-processing 

Consider the procedure of Luo and Devetak's QKE 
protocol formalized in the previous subsection. The er- 
ror correction is performed at the last step 8) where Bob 
computes /3(sa ffi sb). In this case, sa_ © £b is the syn- 
drome that initializes the decoding. To understand how 
the function is computed, we need to examine its 
definition and the matrix structure of the code. 

Suppose we start with two LDPC codes with parity- 
check matrices Hx and H 2 of sizes (n — k\) x n and 
(n — fc 2 ) x n, and c = rank(_Hi H 2 ). The formalism in 
subsection A gives two {n + c) x (n + c) full rank matrices 
ATi and N 2 , each formed by 3 block-matrices Ei, 
and Fi of sizes (n — ki) x (n + c), (/ci + fc 2 — n + c) x (n + c), 
and (n — kn+i mo d2)) x {n + c) respectively. H' x and H' 2 
are defined as the parity check matrices of the newly 
formed entanglement-assisted CSS code. Note that the 
two new parity-check matrices need not be low-density 
and thus the performance will be poor if one uses them 
to run the SPA decoder. However, as seen in subsection 
A, since the matrix operations transforming Hi to H[ are 
reversible, the error syndrome with respect to the original 
parity-check matrix Hi can be retrieved by doing inverse 
matrix operations on the corresponding syndrome with 
respect to H[. That is, given a syndrome corresponding 
to H[, we can find the corresponding syndrome for Hi. 
As a result, the errors can be decoded by the SPA decoder 
with LDPC matrix Hi. The details follow. 

The function /3(i), which includes the process of error 
correction, comes into the picture when the error set £\ 
correctable by the code H' x is defined. Recall from sub- 
section A, £ x = {F?s + E%(3 (s ) + H'Tp' (s) : s 6 Z™^ 1 }- 
Since the matrix N 2 formed by H' 2 , E 2 , and F 2 is a full 
rank matrix in Z 2 , the error string corresponding to a 
particular syndrome s can be retrieved by the following 
steps: 

i) Compute £_ — T^s. 



ii) Run the SPA decoder using the original LDPC 
matrix H± with the syndrome s^_. The decoded string is 
the estimated error, and we denote it by e. 



hi) Attach c O's to e and compute /3(s) = Ex \ q 



In the above steps i) and ii), the error message can be 
decoded using H± instead of H[ since the last c bits of 
the message are pre-shared by Alice and Bob, and thus 
the error message from those bits should always be a 
string of O's. The syndrome is then totally determined 
by the first n bits of the error message. This allows us 
to use the original low-density parity-check matrices for 
decoding and thus the error-correcting performance is 
maintained. 

The last step may not be trivial, and we explain it 



in the following. Using our notation, if „ _ is cor- 

y Ucx 1 J 

rectable by H' x with syndrome s, it is in the set £\ and 
can be written in the form 



e 

Ocxl 



No 




(3) 



Since JViiVj 



I, it is obvious that TVj 



ATi can then be multiplied to both sides of the above 
equation. As a result, 




e 

Ocxl 




• (4) 



It should now be clear that step hi) is valid. 



D. Improving QKE post- processing 

A very important observation based on our simulations 
is that in the cases where the channel error rates are not 
small, the bit error rates of the resulting keys are sig- 

e 



nificant whenever the estimated errors | n | are er 

Ucxl 

roneous. Specifically, the bit error rates of the keys are 
about half the block error rates for sufficiently large chan- 
nel error probabilities. Since is equivalent to multi- 
plying by a matrix, Ex , this observation implies that Ex 
is generally not sparse. Given a block error, it is likely 
that each row of Ex and the block error have overlap- 
ping non-zero elements, which on average contributes to 
a significant number of errors in the key. In other words, 
when a block error occurs the resulting key is almost to- 
tally randomized. 

From the observation above, we can apply two useful 
improvements to the protocol. 

Improvement 1 is to check the syndrome following 
the decoder's output. This allows the detection of not- 
yct-converged messages from the SPA decoder. These 
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messages must have block errors. Aborting the proto- 
col after detecting those erroneous messages greatly im- 
proves the error performance of the generated key, at the 
cost of modestly reducing the key rate, since the infor- 
mation sent through the channel in the prior stages is 
wasted. 

Improvement 2 is to check the generated keys di- 
rectly. Let the block error rate and bit error rate of the 
generated keys be denoted by Ruu and Rut ■ Since block 
errors of the keys result in a large fraction of the bits be- 
ing erroneous in each block, checking several randomly 
chosen bits allows a large probability of detecting those 
block errors. Let us assume the relationship Rut = qRbik, 
such that, on average, a block error yields a bit error rate 
of q. Suppose each time the protocol is processed, a num- 
ber of bits n are chosen randomly from the key, and are 
used for a check between the sender and the receiver. 
The bit error rate of the generated key, Rut , can then be 
calculated as 



Rbi. 



R 



bit 



(!-«/)" 



1 - Rblk + (1 - qf Rblk 



= Rutf- (5) 



The bit error rate is scaled by the factor /. For fixed 
Rblk, f decreases dramatically as /i increases. This means 
that not many bits need be checked to greatly improve 
the error performance of the key. To determine /x, we find 
the smallest fj, satisfying Rut < e, where e is the desired 
threshold for the bit error rate of the final key. That is, 



M = 







otherwise. 



(6) 



Since those randomly chosen \x bits from the key are 
revealed, the tradeoff in using this method would be to 
reduce key rate by an amount ^. 

A problem arises here, in that the pre-shared key bits 
are consumed even if the protocol fails, which could even 
result in the net key rate being negative. However, there 
is a way to get around this problem. 

In the original QKE protocol, Alice announces to Bob 

the message sa = H[ ^ ^ ^ , and Bob corrects the errors 

using the syndrome s — sa_(B H[ J = ^ ^ ^ ^ 
This syndrome can also be computed by Bob if Alice 
sends the message s_a = H[ ( ~ ] instead. In this case, 



Bob just computes s = §a ffi H[ 











Thus, instead of comparing the keys Ua = E\ 



and Ub_ = E± y - j (B(3{sa © sb) and consuming the pre- 
shared key k, it is sufficient for the two parties to compare 
kA = -Ei ( g ] and fcs = E x ( jj J (&(3(§a © |s)- In this 



way, we can postpone the consumption of the pre-shared 
keys until after the check is performed. Note that, Alice 
and Bob must discard the bits from the final key cor- 
responding to the ones they compare, since information 
about those bits is publicly revealed. 



E. Summary of the improved QKE protocol 

In this subsection, we will combine the two improve- 
ments from the previous subsection and assess the im- 
proved performance of the QKE protocol. We consider 
the case where Improvement 1 is performed first, and 
then Improvement 2 is performed if the check in Im- 
provement 1 is successful. 

Let pi be the failure rate of the check in Improve- 
ment 1. Conditioned on passing the check in Improve- 
ment 1, let P2 be the rate of bit errors in the generated 
keys followed by the remaining block errors. Also, let 
Rbik be the block error rate of the LDPC code and e be 
the error threshold that is desired for QKE. The values, 
Rblk, Pi and P2, can be determined by simulation. After 
Improvement 2 is performed, the bit error rate of the 
generated key, Rut, can then be calculated: 



Rbi 



P2 



(1 -ViY {Rblk - Pi) 
1 - Rblk + (1 - P2Y ( R bik - Pi)' 



(7) 



To determine \i, we find the smallest p, satisfying 
Rut < £• That is, 







otherwise. 



(8) 



We now outline the improved QKE protocol. Referring 
to the original QKE protocol in subsection B, the proce- 
dure up to step 6) will be the same. The steps beyond 
7) are modified as follows: 

7) Alice computes £^4 = H[ ^ q ^ an d announces it to 

Bob. 



8) Bob first computes §b_ = H' x ^ - J , and then he 

runs the SPA decoder using the original LDPC matrix 
Hi with the syndrome s[ = T^~ 1 (sa © $b)- Let the 
decoded error string be e. 

9) Bob checks if H\e © is the all-zero string. If not, 
the protocol is aborted and they start over. This is a 
result of Improvement 1. 

10) Alice randomly chooses y(i bits from Ica = Ei ^ ^ 

and announces them to Bob. Bob checks if the corrc 

/ 5 CD c \ 

sponding bits from Ub_ = Ex I - - J match the ones 

sent by Alice. If the strings do not completely match, 
the protocol is aborted and they start over. This is a 
result of Improvement 2. 
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11) Alice computes her part of the generated key as 

kji = kA ® Ei { ~ J , excluding the fi bits corresponding 

to the ones they have compared in the previous step. 
Bob also computes his part of the generated key as kg — 

%b © Ex ( ^ \ , excluding the fj, bits similarly. 

The pre-shared key is only used in the last step. There- 
fore, the pre-shared key will not be consumed if the pro- 
tocol is aborted in steps 10) or 11). The net key rate of 
this improved QKE protocol is 



R net = (1 - Rbik + (l-Jto)" (Rbik-Pi)) -. 

n 

(9) 

We will see how well this does in simulations below. 



III. FINITE GEOMETRY LDPC CODES 

Finite geometry (FG) LDPC codes were formalized by 
Kou, Lin and Fossorier There are four families of FG 
LDPC codes: type-1 Euclidean geometry (EG1) LDPC 
codes, type-2 Euclidean geometry (EG2) LDPC codes, 
type-1 projective geometry (PG1) LDPC codes, and 
type-2 projective geometry (PG2) LDPC codes. These 
classical FG LDPC codes were used by Hsieh, Yen and 
Hsu to construct EAQECCs with good performance that 
use relatively little entanglement [l0| . In this section, we 
briefly restate the results from 0] and [l(| and introduce 
the construction of FG LDPC codes. 



Hegi{Pi s) consists of n — 2 ps — 1 columns and J — 
(2(p-i)«-1)(2p s -1)/(2 s -1) rows, and it has the following 
structure: 

1. Each row has weight p r — 2 s . 

2. Each column has weight p c = (2P S - l)/(2 s - l) - 1. 

3. Any two columns have at most one "1-component" 
in common. 

4. Any two rows have at most one "1-component" in 
common. 

The density of H EG1 (p,s) is 2 S /(2P S - 1), which is 
small for p or s large. Then Hegi iPi s) is a low-density 
matrix. 

The LDPC code with parity-check matrix Hegi (p, s) 
is called a type-1 Euclidean geometry LDPC code, and 
we denote it by EGl(p, s). 

Let H E G2(p,s) = H E gi(p,s) t . Then ff £G2 (p, s) 
is a matrix with 2P S - 1 rows and (2^-^ s - l)(2 ps - 
1)/(2 S — 1) columns. The rows of Heg2(p, s) are the 
non-origin points of EG(p, 2 s ), and the columns are the 
lines in EG(p, 2 s ) not passing through the origin, and it 
has the following structure: 

1. Each row has weight p r = (2P S - 1)/(2 S - 1) - 1. 

2. Each column has weight p c = 2 s . 

3. Any two columns have at most one "1-component" 
in common. 

4. Any two rows have at most one "1-component" in 
common. 

The LDPC code with parity-check matrix Heg2{Pi s) 
is called a type-2 Euclidean geometry LDPC code, and 
we denote it by EG2(p, s). 



A. Euclidean geometry (EG) LDPC codes 

Let EG(p, 2 s ) be an p-dimensional Euclidean geome- 
try over the Galois field GF(2 S ), where p, s e N. This 
geometry consists of 2 ps points, where each is an p-tuple 
over GF(2 S ). The all-zero p-tuple is defined as the ori- 
gin. Those points form an p-dimensional vector space 
over GF(2 S ). A line in EG(p, 2 s ) is a coset of a one- 
dimensional subspace of EG(p, 2 s ), and each line consists 
of 2 s points. There are 2^-^ s {2P s - 1) /(2 s - 1) lines. 
Each line has 2( p-1 ) s — 1 lines parallel to it. Each point 
is intersected by (2P S - 1)/(2 S - 1) lines. 

Let GF(2 ps ) be the extension field of GF(2 S ). Each 
element in GF(2 ps ) can be represented as an p-tuple 
over GF(2 S ), and hence a point in EG(p, 2 s ). There- 
fore, GF(2 ps ) may be regarded as the Euclidean geome- 
try EG(p,2 s ). Let a be a primitive element of GF(2P S ). 
Then 0, a , a 1 , a 1 , a 2 ~ 2 represent the 2 ps points of 
EG(p,2 s ). 

Let Hegi(p, s) be a matrix over GF(2). The rows of 
Hegi{Pi s) are the incidence vectors of all the lines in 
EG(p, 2 s ) not passing through the origin. The columns of 
Hegi{Pi s) are the 2 ps — 1 non-origin points of EG(p, 2 s ), 
and the ith column corresponds to the point a z_1 . Then 



B. Projective geometry (PG) LDPC codes 

Let GF(2(p +1 ) s ) be the extension field of GF(2 S ). Let 
a be a primitive element of GF(2' P+1 ) S ). Let n — 
(2(p+i)s_1)/(2 s -1) and?] = a n . Then rj has order 2 s - 1, 
and the 2 s elements 0, 77°, r] 1 ,!] 2 , i] 2 ~ 2 form all the ele- 
ments of GF(2 S ). Consider the set {a°, a 1 , a 2 , a™ -1 }, 
and partition the non-zero elements of GF(2( m+1 ) s ) into 
n disjoint subsets {a 1 , -qa 1 , r/ 2 a l , r] 2S ~ 2 a 1 }, for i £ 
{0,1,... ,n — 1}. Each such set is represented by its first 
element (a 4 ), for i € {0, 1, n — 1}. 

If each element in GF(2^ P+1 ) S ) is represented as a 
(p + l)-tuple over GF(2 S ), then (a 1 ) consists of 2 s - 1 
(p + l)-tuples over GF(2 S ). The {p + l)-tuple over 
GF(2 S ) that represents (a 1 ) can be regarded as a point 
in a finite geometry over GF(2 S ). Then the points 
(a ), (a 1 ), (a 2 ), (a™ -1 ) form a p-dimensional projec- 
tive geometry over GF(2 S ), denoted PG(p, 2 s ). (Note 
that a projective geometry does not have an origin.) 

Let Hpai(p, s) be a matrix over GF(2). The rows 
of Hpg±{p,s) are the incidence vectors of all the lines 
in PG(p, 2 s ). The columns of Hpai(p, s) are the n 
points of PG(p, 2 s ), and the ith column corresponds to 
the point (a 1-1 ). Then Hpai(p, s) consists of n — 
(2(p+i)s - i)/(2 s - 1) columns and J = (2?> s + ... + 2 s + 
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1)(2(p-i)s + ... + 2 s + l)/(2 s + 1) rows, and it has the 
following structure: 

1. Each row has weight p r = 2 s + 1. 

2. Each column has weight p c = (2*> s - 1)/(2 S - 1). 

3. Any two columns have at most one "1-component" 
in common. 

4. Any two rows have at most one "1-component" in 
common. 

The density of H PG1 (p,s) is (2 2s - l)/(2^ +1 ) s - 1), 
which is small for p or s large. Then Hpci(p, s) is a 
low-density matrix. 

The LDPC code with parity-check matrix Hpci (j>, s) 
is called a type-1 projective geometry LDPC code, and 
we denote it by PGl(p, s). 

Let H PG2 (p,s) = H PG1 (p,s) T . Then H PG2 (p,s) 
is a matrix with (2 ( -P +1 '> s - 1)/(2 S - 1) rows and (2^ s + 
... + 2 s + 1)(2(p- 1 ) s + ... + 2 s + 1)/(2 s + 1) columns. The 
rows of Hpa2(Pi s) are the points of PG(p, 2 s ), and the 
columns are the lines in PG(p, 2 s ), and it has the follow- 
ing structure: 

1. Each row has weight p r = (2*> s - 1)/(2 S - 1). 

2. Each column has weight p c — 2 s + 1. 

3. Any two columns have at most one "1-component" 
in common. 

4. Any two rows have at most one "1-component" in 
common. 

The LDPC code with parity-check matrix Hpc^ip, s) 
is called a type-2 projective geometry LDPC code, and 
we denote it by PG2(p, s). 



C. Extension of finite geometry LDPC codes by 
column and row splitting 

A finite geometry LDPC code with n columns and J 
rows can be extended by splitting each column of its 
parity-check matrix H into multiple columns. If the split- 
ting is done properly, very good extended finite geometry 
LDPC codes can be obtained. 

Let <?iiS2j ■■■t9ii be the columns of H. Let c sp be the 
column splitting factor, c sp £ {1, 2, p c }. Then the 
column splitting can be done by splitting each gi into 
c sp columns g^i, gt^, gi,c sp , and distribute the ones 
of the original column among the new columns accord- 
ingly. So that the columns ^1,^2, ...,gi, p c - c spl-§f;\ 

have weights — -I- 1, and the other columns have weights 

Csp 

Pc 

After column splitting, we can proceed with row split- 
ting, that is, determine a row splitting factor r sp £ 
{1, 2, p r } and follow similarly the process of column 
splitting. 

We denote EGl(p,s,c sp ,r sp ) as the LDPC code con- 
structed by an EGl(p,s) LDPC code with column 
and row splitting factors c sp and r sp . The codes 
EG2(p : s,c sp ,r sp ), PGl(p,s,c sp ,r sp ), PG2(p, s,c sp ,r sp ) 
are defined similarly. 



IV. SIMULATION RESULTS 

In this section, we provide simulation results of our 
QKE protocol with FG codes. We use the same 
LDPC code for both C\ and C2 in constructing the 
entanglement-assisted CSS code for our QKE protocol. 
The channel for quantum communication is assumed to 
be a depolarizing channel, and the channel error prob- 
ability P e in the simulation corresponds to that of the 
equivalent classical binary-symmetric channel (BSC). We 
use Monte Carlo simulation with sample sizes of 200, 000. 
We allow the SPA decoder to iterate a maximum of 100 
times. The channel error probabilities range from 2% to 
8% in steps of 0.5%. 

Since many codes perform well when P e is small, we 
are mostly interested in codes that have good perfor- 
mance for higher P e , such as might occur in realistic 
experiments. Let [[n, m; c]] be the parameters of the 
entanglement-assisted code, and R ne t be the original net 
key rate of QKE using that code; that is, R ne t = m ^ £ - 
This means that the QKE protocol expands a key of 
length c to a key of length m. For a code to serve 
the purpose of performing key "expansion," one requires 
Rnet to be positive. Table U demonstrates all possible 
i?Gl(2, 5, c sp , r sp ) codes with positive R ne t that have 
block length n < 11000. In Fig. HJ we show the QKE 
performance of the original protocol, in terms of bit er- 
ror rate, of some codes from Table |U 



TABLE I. List of EG1(2, 5, c sp , r sp ) codes with positive net 
key rates that have block length n < 11000. 



[[n, m; c]] 


Csp 


* sp 


Rnet 


[[1023, 571; 32]] 


1 


1 


0.5269 


[[2046, 452; 450]] 


2 


1 


0.0010 


[[3069, 2045; 1022]] 


3 


1 


0.3333 


[[4092, 3068; 1020]] 


4 


1 


0.5005 


[[4092, 2038; 2034]] 


4 


2 


0.0010 


[[5115,4091; 1022]] 


5 


1 


0.6000 


[[5115,3067; 2044]] 


5 


2 


0.2000 


[[6138,5114; 1022]] 


6 


1 


0.6667 


[[6138, 4090; 2044]] 


6 


2 


0.3333 


[[7161,6137; 1022]] 


7 


1 


0.7143 


[[7161, 5115; 2046]] 


7 


2 


0.4286 


[[7161, 4092; 3069]] 


7 


3 


0.1429 


[[8184, 7152; 1012]] 


8 


1 


0.7502 


[[8184, 6138; 2042]] 


8 


2 


0.5005 


[[8184, 5115; 3067]] 


8 


3 


0.2502 


[[8184, 4094; 4082]] 


8 


4 


0.0015 


[[9207,8181; 1020]] 


9 


1 


0.7778 


[[9207, 7161; 2046]] 


9 


2 


0.5556 


[[9207, 6134; 3065]] 


9 


3 


0.3333 


[[9207, 5115; 4092]] 


9 


4 


0.1111 


[[10230, 9202; 1018]] 


10 


1 


0.8000 


[[10230, 8182; 2044]] 


10 


2 


0.6000 


[[10230, 7160; 3068]] 


10 


3 


0.4000 


[[10230, 6132; 4086]] 


10 


4 


0.2000 



In Fig. [21 we set the generated keys' bit error threshold 
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TABLE II. List of PG1(2,5 



codes with positive net 



key rates that have block length n < 11000. 



;l Error Probability, Pe 



FIG. 1. Bit error rate of the keys generated by the original 
QKE protocol with selected codes from EG1(2, 5, c ap , r sp ). 




FIG. 2. Net key rate of the improved QKE protocol with 
selected codes from EG1(2, 5, c sp , r 3p ) and error threshold e = 
KT 6 . 



to e = 10~ 6 , and simulate QKE with the improved QKE 
protocol from section II. We present the performance, in 
terms of net key rate, using some codes from Table HI 

Table [TT1 demonstrates all possible PG1(2, 5, c sp , r sp ) 
codes with positive R ne t that have block length n < 
11000. In Fig. [21 we present the QKE performance of 
the original protocol, in terms of bit error rate, of some 
codes from Table 2. 

In Fig.Hl we set the generated keys' bit error threshold 
to e = 10~ 6 and simulate QKE with the improved QKE 
protocol proposed in section II. We present the perfor- 
mance, in terms of net key rate, using some codes from 
Table ID 

Note that for channel error rates less than 2%, we may 
consider the code PG1(2, 5, 9, 2), which has a net key rate 
of about 0.5556. Considering channel error rates much 
lower than 2%, we can use other codes in the family which 
have even larger net key rates. 

In Fig.[5j we set the generated keys' bit error threshold 
to e = 10~ 6 , and we present the QKE net rate using the 
codes from both Table Q] and |TT] that perform the best in 
each channel error region. As can be seen, quite reason- 
able key rates can be achieved even for error probabilities 



[[n, rn; c]] 


Csp 


^s P 




[[1057, 570; 1]] 


1 


1 


0.5383 


[[2114,490 


488]] 


2 


1 


0.0009 


[[3171,2112 


1055]] 


3 


1 


0.3333 


[[4228, 3172 


1056]] 


4 


1 


0.5005 


[[4228,2114 


2112]] 


4 


2 


0.0005 


[[5285,4227 


1056]] 


5 


1 


0.6000 


[[5285,3171 


2114]] 


5 


2 


0.2000 


[[6342, 5284 


1056]] 


6 


1 


0.6667 


[[6342, 4228 


2114]] 


6 


2 


0.3333 


[[7399, 6341 


1056]] 


7 


1 


0.7143 


[[7399, 5285 


2114]] 


7 


2 


0.4286 


[[7399, 4227 


3170]] 


7 


3 


0.1429 


[[8456, 7399 


1055]] 


8 


1 


0.7502 


[[8456, 6342 


2112]] 


8 


2 


0.5002 


[[8456, 5286 


3170]] 


8 


3 


0.2502 


[[8456, 4229 


4227]] 


8 


4 


0.0002 


[[9513, 8455 


1056]] 


9 


1 


0.7778 


[[9513, 7399 


2114]] 


9 


2 


0.5556 


[[9513, 6342 


3171]] 


9 


3 


0.3333 


[[9513, 5284 


4227]] 


9 


4 


0.1111 


[[10570,9511; 1055]] 


10 


1 


0.8000 


[[10570, 8456; 2114]] 


10 


2 


0.6000 


[[10570, 7399; 3171]] 


10 


3 


0.4000 


[[10570, 6342; 4228]] 


10 


4 


0.2000 




FIG. 3. Bit error rate of the keys generated by the original 
QKE protocol with selected codes from PG1(2, 5, c sp , r sp ). 



above 7%. 

It is worthwhile comparing our results to the recent 
work by Elkouss, Leverrier, Alleaume and Boutros [12j . 
In their work, a set of 9 irregular LDPC codes were found 
for QKD based on the BB84 protocol. With a bit error 
rate threshold of the generated keys on the same order as 
ours (1.5 x 10~ 6 in their case), their net key rate perfor- 
mance exceeds ours by roughly 15 — 20% over the same 
channel error regions. However, this is not too surpris- 
ing, since the they consider LDPC codes with very large 
block sizes (on the order of 10 6 bits), while ours have 
much more modest block sizes (on the order of 10 3 ). We 
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PG1 (2,5,6,: 

— I — PG1 (2,5,7,: 
— B — PG1 (2,5,7,: 
PG1(2,5,a,: 




Channel Error Probability. Pe 



FIG. 4. Net key rate of the improved QKE protocol with 
selected codes from PG1 (2, 5, c sp , r sp ) and error threshold e = 
f(T 6 . 




Channel Error Probability, Pe 



FIG. 5. Net key rate of the improved QKE proto- 
col with selected codes from both EG1(2, 5, c ap , r sp ) and 
PG1(2, 5, c sp , r sp ) that perform well in the various channel 
error regions. 



believe the sizes of our codes are reasonable for practical 
use. Given much greater computing resources for post- 
processing, it should be easy to construct very large codes 
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in our family of LDPC codes that would have better net 
key rates. 



V. CONCLUSION 

In this paper, we have proposed a protocol for QKE 
that is an improved version of the protocol proposed by 
Luo and Devetak. The modifications are done to filter 
out block errors, which allows us to greatly reduce the 
bit error rate of QKE with only a small reduction in 
the net key rate. In addition, we have studied a family of 
LDPC codes based on finite geometry that are capable of 
protecting the QKE protocol from errors even when the 
channel is moderately noisy. The figures in the previous 
section show clearly which codes one should choose to 
efficiently expand the keys. 

In the near future we will investigate other families of 
codes for this QKE protocol. The LDPC codes generated 
by finite geometry are a rich family. Besides the family of 
FG codes constructed by the method of column and row 
splitting, we have also examined several codes in a family 
of quasi-cyclic FG LDPC codes d Q that perform well 
for our QKE protocol. Another possible task is to further 
enhance the QKE protocol. For example, the matrix E± 
is not unique. If we have a way to search for an E± 
having density as low as possible, then the block error 
rate of the code may not affect the bit error rate of the 
key by as much. 
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